A lot of attention has been focused on computer network liability and technology insurance lately, and with good reason. Rarely a week passes without a report of data loss from a carefully planned network security breach or identity-theft incident. Are stolen laptops a liability? Yes. But that's just one area of a larger, more complex issue. Technology and computer network liabilities are real, they're rampant and they're no longer reserved for technology providers.
Technology errors-and-omissions policies have been around for a long time--almost as long as legacy computer systems themselves. Then the Internet came of age, and computer network liability policies entered the picture. It's almost 20 years later now, and the policy forms have legacy issues of their own.
As the tech-related liability exposures have evolved, coverage once reserved only for those in the technology sector is now seen as a necessity for traditional businesses with any level of technology infrastructure.
The good news is there is broader recognition of the need with each new report of a data breach. The bad news is that neither the legacy technology products nor the traditional professional liability policies can respond adequately to the need.
A technology E&O or computer network liability policy originally crafted for a technology company cannot be used to cover the exposures of a traditional company--a bank, a manufacturer, a retailer or a hospital. One cannot simply manuscript an endorsement and patch it onto an existing insurance policy. To borrow a technology analogy, that would create pervasive "system incompatibility."
Legacy insurance policies have not kept pace with the new technology work environment. Rarely do they cover the spectrum of technology-related exposures of a traditional company--exposures from network security breaches, business interruptions and other technology-related errors. Data-theft incidents, like those regularly reported in the news, were far less frequent a decade ago. When they did occur, it was on a much narrower scale. Unfortunately, many insurance policies for traditional companies are still being written today without the clear recognition that computer systems and networks are now critical to the success of the enterprise.
The influx of technology tools into areas where they had not, until recently, been used on a day-to-day basis has shifted the risk management focus. Businesses in all industry segments have become dependent on technology to deliver products and services to customers. They use Internet-accessible servers to store and manage access to information that, in turn, establishes platforms for business professionals to perform their jobs. This dependency leads to a higher probability of errors and omissions, and to elevated levels of the principal risks associated with technology--keeping data private and networks secure and operational.
WHERE THE GAPS ARE
When it comes to technology exposures, traditional companies likely have gaps in their legacy insurance policies, exposing them to technology-related risks. For example, it is not uncommon that:
* General liability policies exclude crime and theft-related losses; whether or not such loss is of tangible or intangible property becomes irrelevant.
* Crime/fidelity policies exclude coverage for losses that arise as a result of technology breaches and technology-related crimes.
* E&O and professional liability policies exclude coverage relating to computers, computer systems and computer networks.
With older computer network and Internet liability policies, there is usually a lack of broad coverage for network security, intellectual property and media exposures. As these areas of exposure have historically been addressed in silo policies, gaps arise due to inconsistencies in policy language, definitions and insuring agreements. Furthermore, policy structure and language can lead to inconsistent and ambiguous professional liability and technology liability coverage within the same policy.
With coverage gaps come knowledge gaps. Or, perhaps, it's the knowledge gaps that produce these coverage gaps. It's not apparent whether there is simply a lack of expertise in technology-related policies, or whether underwriters are choosing not to apply their experience to address the exposures of traditional companies with technology exposures.
What is certain is the need for buyers of professional liability insurance to be acutely aware of the knowledge and expertise of their underwriter. This becomes challenging when the buyer is a traditional company looking for coverage to deal with its technology and computer network exposures. The challenge is this: If the underwriter does not have the requisite knowledge, how can she adequately mitigate a policyholder's risk?
Perhaps it's best to illustrate by example. Professional liability underwriters are generally very knowledgeable within their areas of expertise, and they will be adept at analyzing areas of exposure and crafting coverage to appropriately transfer risk. However, a professional liability loss typically arises out of a one-to-one relationship: The professional performs a service for a fee for a client; the client sustains some injury due to error or omission; and the injured client sues the professional.
Technology loss, on the other hand, typically arises out of a one-to-many relationship. When a business loses customer data, regardless of how the loss occurs, it potentially affects hundreds, thousands, even millions. The technology policy underwriter is often a key contributor in helping a company's risk manager and insurance intermediary understand and quantify the relevant exposures. Underwriters that have worked with technology and Internet companies in the past are better prepared to help traditional companies come to terms with the risks they're facing. It's important for buyers and brokers to seek guidance from insurance carriers whose experts are familiar with the risks and liabilities of technology.
BUILDING A NEW SOLUTION
Merely endorsing technology coverage onto an existing legacy insurance policy is inadequate. To start, most insurance applications do not capture all of the information that would be required to adequately assess and underwrite technology risks. Doing the job right necessitates an entirely new application, one that captures information about technology infrastructure, processes, operations and personnel, as well as how these are integrated throughout the organization in the delivery of products and services. Viewed from this perspective, a technology "patch" endorsed onto an existing insurance policy becomes dangerously insufficient--it appears to address the exposure, but the appearance is deceiving.
Education continues to be the big unmet need, as traditional companies are demanding information about their technology exposures and seeking risk-transfer solutions. The demand for knowledge is strong and rising, but the supply of expertise is lagging. It requires a partnership between the carriers that develop the policies, the brokers that act as consultants in the distribution channel, and the companies that are at risk and seeking a legitimate risk-transfer solution. Helping companies quantify their exposure will be a critical step in overcoming this knowledge gap.
Carriers are identifying and quantifying the risks within the coverage restrictions of legacy insurance policies, and some have developed new products that specifically respond to the technology exposure coverage gap within companies not in the technology sector. These new policies are explicitly worded to address technology-related exposures for traditional companies. Specifically, some policies address related coverage areas like technology E&O, Internet liability and computer network liability in the same policy--a good practice to eliminate coverage gaps.
To continue filling knowledge and coverage gaps, large agencies should consider the desirability of an in-house expert who has technology- or Internet-company experience and can be directed to traditional companies needing coverage for technology exposure. Seminars and industry associations are also playing a role in education and thought leadership.
The bottom line is this: Businesses' reliance on technology has widened their professional liability profile. Proper enterprise risk management demands that these businesses enhance their insurance profile to mitigate these risks. Agents and brokers must continue building upon their knowledge to assist in the process. And insurance carriers must adapt to these emerging needs with research and development aimed at technology-appropriate insurance products. If not, the consequences can be dire. Will your client or your business be the next to report a data loss affecting hundreds of thousands of customers? It's a risk that probably cannot be avoided entirely, but it can certainly be mitigated.
is the lead underwriter for the Tech//404 technology and information liability product from Darwin Professional Underwriters Inc.
June 1, 2007
Copyright © 2007 LRP Publications